TITAN

Unix and Linux environments present a unique challenge to "lockdown" or hardening scripts. Although just about every Unix variant has an /etc/passwd file, not all variants implement shadow passwords, or even store password hashes in the /etc/passwd or /etc/shadow file. Titan addresses this type of problem by applying a checklist to a specific set of operating systems. In practice, you may find that Titan is best suited for Solaris systems because the current Linux distributions have been updated so frequently that Titan has been unable to track all of the changes.

Titan is an excellent tool for establishing a secure base installation. Most of its configuration checks relate to file permissions and environment variables. Although many tests do apply to network security, Titan's advantages lie in the secure user environment it creates.

Note 

As with each tool described in this chapter, you should continue to monitor and install application security patches and test the configuration of applications installed after the host-hardening process.

Download and Installation

Titan is a collection of shell scripts that can be downloaded from http://www.trouble.org/titan/. Once you have obtained the tarball, unzip it in a directory (/tmp is a good choice). To install Titan, run the following command from the Titan-version directory (you must have root privileges):

    [mike@Kaitain Titan,v4.1]$ sudo ./Titan-Config -I
    checking for dependencies...
    finding out where we are...
    we are in '/home/mike/tmp/Titan,v4.1'
    checking out your system...
    this system runs: Linux-2.6.11-12mdk-i686-up-4GB-i686
    we will be using: RedHat
    setting up links...
    removing old links...
    linking bin into path...
    linking lib into path...
    linking logs into path...
    linking tmp into path...
    linking done.
    cleaning up is_root, sanity_check, Titan...
    pulling in local Titan script...
    Creating .trunrc in /home/mike/tmp/Titan,v4.1/arch,
     /home/mike/tmp/Titan,v4.1/bin and /home/mike/tmp/Titan,v4.1/lib
     for sane paths... \c
    Contents of .trunrc:
    ----------------------------------
    TITANHOME=/home/mike/tmp/Titan,v4.1
    export TITANHOME
    PATH=${PATH}:${TITANHOME}:${TITANHOME}/lib:/bin
    export PATH
    ----------------------------------
    Creating .trunrc in the sub directories
     /home/mike/tmp/Titan,v4.1/arch/RedHat/bin for sane paths... \c
    Done..
    Run Titan utilities with 'Titan -[v,f,i]' after reading the Docs...
                            OR
    Run Titan using a config file. (Titan -c sample.Server) after
     reading the Docs
    Titan can back up all of the files it modifies; This is recommended
    NOTE: in the process of backing up files /etc/shadow as well as other
     important files will be backed up. It is IMPORTANT that you keep this
     backup SAFE, or delete it after you are sure Titan didn't do something
     unwanted
    proceed? y/n:

You should quickly notice that Titan is verbose and provides good documentation. This is very favorable behavior because it runs under root privileges and, if instructed, will make modifications to file and directory permissions. Rest assured that the Titan-Config script does not perform any security checks or modify the file system; it sets up Titan's environment with soft links to the shell scripts and security definitions specific to the target operating system. If Titan does not recognize your system (via the uname command) or does not have checks defined for your system, its configuration script stops.

If you have never run Titan before or you are running it on a production system, be sure to create the directories necessary to save backup copies of any files that Titan may change. The output of the Titan-Config script provides instructions on how to accomplish this.

Implementation

Titan has two main modes: Verify Security Settings and Fix Security Settings. The Verify ( -v ) mode performs each test and reports a pass/fail. The Fix ( -f ) mode performs each test and actually changes a failed point to its recommended setting. For example, if the /etc/passwd file is world-writeable, it will remove the world-writeable bit ( chmod o-w /etc/passwd ).

Always run Titan in Verify mode first to get an idea of the system's risk level. Here is a portion of a Titan check against a Mandriva 10.2 system:

    [mike@Kaitain Titan,v4.1]$ sudo sh Titan -v
    *=*=*=*=* Running modules/add-umask.sh now.....
    No umask file /etc/rc.d/init.d/umask.sh found
    *=*=*=*=* Running modules/adjust-arp-timers.sh now.....
    *=*=*=*=* Running modules/aliases.sh now.....
    *=*=*=*=* Running modules/atset.sh now.....
    CRONLOG entry not found or misconfigured - FAILS CHECK
    /var/cron permissions - FAILS CHECK
    /etc/cron.daily/logrotate LIMIT - FAILS CHECK
    /etc/cron.deny NOT FOUND - FAILS CHECK
    *=*=*=*=* Running modules/create-issue.sh now.....
    Mandrakelinux release 10.2 (Limited Edition 2005) for i586
    Kernel 2.6.11-12mdk-i686-up-4GB on an i686 / \l
    *=*=*=*=* Running modules/create-umask-redhat.sh now.....
    No umask file /etc/rc.d/init.d/umask.sh found
    *=*=*=*=* Running modules/cronlog-redhat.sh now.....
    CRONLOG entry not found or misconfigured - FAILS CHECK
    /etc/cron.daily/logrotate LIMIT - FAILS CHECK
    /etc/cron.deny NOT FOUND - FAILS CHECK

Even though certain items are false positives (such as the UMASK check), Titan has correctly found some security lapses, namely the presence of legitimate shells for the bin, daemon, adm, and lp system accounts in the /etc/passwd file. If we were to run Titan in Fix mode ( -f ), the shells would be replaced with a more secure setting that uses /sbin/noshell.
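A verify-style check for the two findings discussed above (a world-writeable /etc/passwd and system accounts that keep a usable shell), written here as an added example and not taken from Titan's modules. The function names and the sample passwd file are constructed for illustration; the script only reports and changes nothing.

```sh
#!/bin/sh
# Added example, not Titan code. Verify-only: reports, never changes anything.
# Function names and the sample passwd content are hypothetical/constructed.

# Constructed passwd-format sample: bin and daemon have real shells, lp has an
# empty shell field (which means the system default shell), adm is locked down.
write_sample_passwd() {
    cat > "$1" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/sh
daemon:x:2:2:daemon:/sbin:/bin/sh
adm:x:3:4:adm:/var/adm:/sbin/noshell
lp:x:4:7:lp:/var/spool/lpd:
mike:x:500:500::/home/mike:/bin/bash
EOF
}

# Fails if the file carries the world-writable bit that `chmod o-w` clears.
check_world_writable() {
    if [ -n "$(find "$1" -prune -type f -perm -0002 2>/dev/null)" ]; then
        echo "$1 world-writable - FAILS CHECK"; return 1
    fi
    echo "$1 not world-writable - PASSES CHECK"
}

# Lists the system accounts named in the text that can still log in.
system_accounts_with_shell() {
    awk -F: '$1 ~ /^(bin|daemon|adm|lp)$/ &&
             $7 !~ /\/(noshell|nologin|false)$/ { print $1 }' "$1"
}

check_system_shells() {
    bad=$(system_accounts_with_shell "$1" | tr '\n' ' ')
    if [ -n "$bad" ]; then
        echo "login shell for: ${bad}- FAILS CHECK"; return 1
    fi
    echo "system account shells - PASSES CHECK"
}

# Demo on the constructed sample, made world-writable on purpose.
sample=$(mktemp)
write_sample_passwd "$sample"
chmod 666 "$sample"
check_world_writable "$sample" || :
check_system_shells "$sample" || :
rm -f "$sample"
```

Pointing the two check functions at the real /etc/passwd gives a quick second opinion on what Titan's Verify mode reports before anything is run in Fix mode.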

If you find Titan's output to be too plain, try the Intro ( -i ) mode. When it runs the checks, Titan prints only a basic description of each check and whether the system passed or failed. Intro mode, on the other hand, provides a lengthier description that defines the security problem and the solution that Titan is trying to address. This is an excellent feature for first-time users, junior sys admins, or novice security professionals. For example, run ./Titan -I to get more information about the modules it runs and how they will affect the system in Fix ( -f ) mode:

    [mike@Kaitain Titan,v4.1]$ sudo sh Titan -I
    *=*=*=*=* Information about modules/add-umask.sh
     This program creates a default UMASK entry for all
     of the boot time run scripts of 022 (forces the rc
     scripts to create files of mode 644)
    *=*=*=*=* Information about modules/adjust-arp-timers.sh
     This changes the system configuration to shorten the ARP expiration
     timer to one minute instead of the default 20 minutes. This stops some
     of the ARP hijacking, ARP spoofing attacks. A better solution is still
     to use encrypted sessions, as they are harder to hijack/spoof.
     The program modifies /etc/rc.d/rc2.d/S??inet adding in the lines:
            ndd -set /dev/ip ip_ire_flush_interval 60000     /* 1 min */
            ndd -set /dev/arp arp_cleanup_interval 60000     /* 1 min */
    *=*=*=*=* Information about modules/aliases.sh
     check /etc/aliases or /etc/mail/aliases for any programs
     that mail is piped to and comment out

Titan's Fix mode works best for Solaris platforms because the modified settings are less likely to interfere with other security measures provided by various Linux distributions. For example, notice that in the previous example, Titan would run RedHat checks against the Mandrake system. The two Linux distributions are similar but do not have identical administration and security settings. Solaris, for the most part, installs with a standard suite of tools and default settings.



Anti-Hacker Tool Kit, Third Edition
ISBN: 0072262877
Year: 2006
Pages: 175
